HIGH

REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
REST List Paramete…

Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Additionally, a view contai…

Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Build With Parameters Plugin 1.5.1 …

Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Artifact Repository Param…

Claim Plugin 2.18.1 and earlier does not escape the user display name shown in claims.
This results in a cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the securi…

A vulnerability exists in CakePHP versions 4.0.x through 4.1.3. The CsrfProtectionMiddleware component allows method override parameters to bypass CSRF checks by changing the HTTP request method to an arbitrary string that is not in the list of request…

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names …

Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a description, users can choose to have Jenkins render a formatted preview of the description they…

Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old…

A denial-of-service vulnerability exists in the way Kestrel parses HTTP/2 requests. The security update addresses the vulnerability by fixing the way the Kestrel parses HTTP/2 requests. Users are advised to upgrade.
References

https://nvd.nist.gov/vul…